(54) Simplified security for handoff in wireless communications



(57) The defined boundaries in a network are pushed down to the base station level. Doing so necessitates authentication each time a wireless terminal switches communication, or "handoffs", from one base station to another. To achieve such authentication in an efficient manner, security information, i.e., the derived information, is transferred from one base station directly to another. By directly it is meant without accessing any other source of the derived information, although the information may be transferred via other intervening nodes of the network that form an interconnection path for the base stations. A simplified network, i.e., a network with reduced hierarchy from a control point of view, e.g., one that only requires home location register and base station network entities along with interconnection therefor, may be employed with a minimal decrease in performance, e.g., a minimal increase in delay, during the handoff process. In one embodiment of the invention, a first base station which initially receives a service request from a wireless terminal requests authentication information from a central security node and receives in response at least one, but typically two or more, sets of security information. When it is time for a handoff from the first base station to a second base station, the first base station transmits to the second base station at least one of the sets of security information it received from the central security node. The second base station then uses the information it received from the first base station to authenticate the wireless terminal.
Description
Technical Field 

[0001] This invention relates to the art of wireless communication, and more particularly, to a system of insuring that only authorized users of the network providing wireless communications services are granted access to the network.

Background of the Invention 

[0002] Prior art wireless systems only permit authorized wireless terminals to have access to the wireless network. In order to permit a wireless terminal access to the network the wireless terminal must be authenticated. The term "authentication" is used herein in the conventional manner, e.g., the process of verifying that an entity is really that who it alleges it is. Authentication may be needed multiple times during the duration of a call, e.g., originally when the call is initiated and thereafter each time the wireless terminal makes a transition across any defined boundary in the network.
[0003] Authentication is achieved by comparing information derived from secret information stored in the wireless terminal with the same derived information existing somewhere else in the network. Typically the derived information must be transmitted each time a new authentication is required for a particular wireless terminal during the course of a single call from the storage location of the derived information that is "closest" to the location of the comparison, where "closest" is in terms of network hierarchy.

[0004] A wireless terminal communicates with a base station via an airlink. If the base station is not the location of the comparison, the base station must forward information from the wireless terminal to the location of the comparison for use in the comparison. The location in the network in which the derived information is stored is typically in a so-called "visitor location register" (VLR). The derived information is generated in the network at a so-called "home location register" (HLR) or other authentication center as may be present, depending on the particular network design. When a wireless terminal crosses a network boundary that separates the area served by a first VLR from the area served by a second VLR, the first VLR may forward the derived information to the second VLR for its use. Alternatively the second VLR may obtain its own derived information from the HLR. Note that the HLR may act as a VLR when the wireless terminal first powers up in an area directly served by the HLR.

[0005] Disadvantageously, the cost of the prior art network is high, because of the various specialized entities therein and the complex control procedures required.



Summary of the Invention 

[0006] We have realized that network architecture may be simplified, and the costs relating to network installation reduced, by pushing the defined boundaries in the network down to the base station level. However, a result of doing so is that authentication is required each time a wireless terminal switches communication from one base station to another. In other words, after pushing the defined boundaries down to the base station level, each time there is a handoff of the wireless terminal from one base station to another a network boundary is crossed and authentication is required. To achieve such authentication in an efficient manner, in accordance with the principles of the invention, security information, i.e., the derived information, is transferred from one base station directly to another. Note that by directly it is meant without accessing any other source of the derived information, although the information may be transferred via other intervening nodes of the network that form an interconnection path for the base stations. Advantageously, a simplified network, i.e., a network with reduced hierarchy from a control point of view, e.g., one that only requires HLR and base station network entities along with interconnection therefor, may be employed with a minimal decrease in performance, e.g., a minimal increase in delay, during the handoff process.

[0007] More specifically, in one embodiment of the invention, a first base station which initially receives a service request from a wireless terminal requests authentication information from a central security node, e.g., an HLR, and receives in response at least one, but typically two or more, sets of security information. The sets of security information may be a password, a challenge-response pair, a challenge-response cipher key tuple, or the like. When it is time for a handoff from the first base station to a second base station, the first base station transmits to the second base station at least one of the sets of security information it received from the central security node. The second base station then uses the information it received from the first base station to authenticate the wireless terminal, and/or engage in encrypted communication.

Brief Description of the Drawing 

[0008] In the drawing: 

FIG. 1 shows an exemplary network arrangement 
in accordance with the principles of the invention; 
and 

FIG. 2 shows an exemplary process, in flow chart 
form, for performing a handoff between the base 
stations of FIG. 1 in accordance with the principles 
of the invention. 
Detailed Description

[0009] The following merely illustrates the principles of the invention. It will thus be appreciated that those skilled in the art will be able to devise various arrangements which, although not explicitly described or shown herein, embody the invention,
[0010] Thus, for example, it will be appreciated by those skilled in the art that the block diagrams herein represent conceptual views of illustrative circuitry embodying the principles of the invention. Similarly, it will be appreciated that any flow charts, flow diagrams, state transition diagrams, pseudocode, and the like represent various processes which may be substantially represented in computer readable medium and so executed by a computer or processor, whether or not such computer or processor is explicitly shown.
[0011] The functions of the various elements shown in the FIGs., including functional blocks labeled as "processors" may be provided through the use of dedicated hardware as well as hardware capable of executing software in association with appropriate software. When provided by a processor, the functions may be provided by a single dedicated processor, by a single shared processor, or by a plurality of individual processors, some of which may be shared. Moreover, explicit use of the term "processor" or "controller" should not be construed to refer exclusively to hardware capable of executing software, and may implicitly include, without limitation, digital signal processor (DSP) hardware, read-only memory (ROM) for storing software, random access memory (RAM), and non-volatile storage. Other hardware, conventional and/or custom, may also be included. Similarly, any switches shown in the FIGs. are conceptual only. Their function may be carried out through the operation of program logic, through dedicated logic, through the interaction of program control and dedicated logic, or even manually, the particular technique being selectable by the implementor as more specifically understood from the context.
[0012] In the claims hereof any element expressed as a means for performing a specified function is intended to encompass any way of performing that function including, for example, a) a combination of circuit elements which performs that function or b) software in any form, including, therefore, firmware, microcode or the like, combined with appropriate circuitry for executing that software to perform the function.
[0013] Unless otherwise explicitly specified herein, 
the drawings are not drawn to scale. 
[0014] FIG. 1 shows an exemplary network arrangement in accordance with the principles of the invention. Shown in FIG. 1 are a) wireless terminal 101; b) N base stations 103, where N is an integer greater than or equal to 2, including base station 103-1 through 103-N; c) N antennas 105, including antennas 105-1 through 105-N; d) N structures 107, including structures 107-1 through 107-N; e) N cells 109, including cells 109-1 through 109-N; f) network 111; g) base station authentication unit 113; h) N communication links 115, including communication links 115-1 through 115-N; i) communication links 117 and 121; j) security center 119.

[0015] Wireless terminal 101 is able to communicate with multiple base stations which transmit with sufficient signal strength to be detected and useable for communication at the current location of wireless terminal 101. Once a signal of sufficient strength is detected for a particular base station, wireless terminal 101 may engage in communication with that base station. The particular types of wireless link and protocol, i.e., the air interface, employed by wireless terminal 101 are not essential to the invention and may be any type desired by the implementor, although of course the radio link and protocol employed by wireless terminal 101 must be the same type employed by base stations 103.
[0016] Wireless terminal 101 may achieve communication with multiple base stations in any manner desired by the implementer. For example, wireless terminal 101 may have only a single receiver, and it may receive signals, when not occupied with the exchange of information with the base station currently serving it, from other base stations that have signals of sufficient strength reaching wireless terminal 101. Alternatively, wireless terminal 101 may receive signals from multiple base stations simultaneously, e.g., by employing multiple parallel receivers in wireless terminal 101. Further alternatively, wireless terminal 101 may have more than one receiver, but the number of receivers is less than the number of base stations from which wireless terminal 101 can receive a signal of sufficient strength at its current location, so wireless terminal 101 needs to perform scanning on at least one of its receivers to obtain signals for some of the base stations.

[0017] Base stations 103 are substantially conventional base stations except for the following. First, base stations 103 need not be connected to a dedicated network for inter-base-station communication. Instead, base stations 103 can employ a shared public network, e.g., an internet protocol (IP)-based network such as the Internet. Second, each base station 103 need not contain any "map" information. Instead, each of base stations 103 is capable of discovering its necessary portions of the "map" information. Preferably, base stations 103 are small base stations that can easily be incorporated into a small space, e.g., one that is already available, rather than requiring dedicated construction and site preparation. Advantageously, such small size, coupled with the ability to discover the necessary portions of the "map" information, enables the rapid construction of a new wireless communication network. Furthermore, such a wireless communication network is flexible in its architecture, i.e., base stations can easily be added or removed, and it is also easy to maintain.

[0018] Each of antennas 105 is coupled to a respective one of base stations 103. Each of antennas 105 radiates the signal developed by its respective one of base stations 103. Each combination of a one of base stations 103 and its respective one of antennas 105 yields a one of cells 109, which is a particular coverage area. The shapes of cells 109 in FIG. 1 do not represent actual cell shapes but instead are merely conventional notation for cells. Note that the shapes of the actual various cells 109 are all independent.

[0019] Each of structures 107 provides a facility in which to place one or more of base stations 103. Furthermore, structures 107 may also provide a place on which to mount antennas 105. For example, some of structures 107 may be already existing homes in which a one of base stations 103 is located in an unused space and to which a one of antennas 105 is exteriorly affixed.
[0020] Network 111 provides a way for base stations 103 to communicate with each other, as well as with base station authentication unit 113 and security center 119. Network 111 may be made up of various subnetworks, which may be networks in their own right. Furthermore, the various subnetworks may be of different types and may employ different protocols. In one embodiment of the invention, network 111 is a packet based network, e.g., an asynchronous transfer mode (ATM) network or an IP network.

[0021] Each of base stations 103 is connected to network 111 via a respective one of communication links 115, which may be construed as part of network 111. For example, where network 111, or at least a subnetwork thereof, is an IP network, and one of base stations 103 is located within one of structures 107 that is a home, communications link 115 may be an Internet connection, e.g., over cable television lines or a fiber-to-the-curb connection, that is shared by the base station for communicating with other base stations and by the occupants of the home for Internet browsing.
[0022] Base station authentication unit 113 contains a list of all valid base stations 103, and any associated information such as security keys and alternative identifiers or addresses of the base station. A base station may be listed in base station authentication unit 113 at any point. However, the base station only becomes valid once it is listed in base station authentication unit 113. Although shown herein as a single unit, in practice base station authentication unit 113 may be made up of several parts, which need not be geographically collocated. Furthermore, to improve reliability and performance, some or all of the various parts or functions of base station authentication unit 113 may be replicated, as will be readily recognized by those of ordinary skill in the art.
[0023] Base station authentication unit 113 is connected to network 111 via communication link 117. Of course, when base station authentication unit 113 is made up of more than one part, or is replicated, communication link 117 is construed as covering all the necessary communications paths between network 111 and the various parts or replicas.

[0024] Security center 119 contains a list of all valid wireless terminals that may be served. In addition, security center 119 contains security information, such as authentication challenge-response pairs and/or encryption keys associated with each wireless terminal. The security information may be distributed by security center 119 to base stations 103, as necessary. A wireless terminal may be listed in security center 119 at any point. However, the wireless terminal only becomes valid once it is listed in security center 119. Although shown herein as a single unit, in practice security center 119 may be made up of several parts, which need not be geographically collocated. Furthermore, to improve reliability and performance, some or all of the various parts or functions of security center 119 may be replicated, as will be readily recognized by those of ordinary skill in the art.
[0025] Security center 119 is connected to network 111 via communication link 121. Of course, when security center 119 is made up of more than one part, or is replicated, communication link 121 is construed as covering all the necessary communications paths between network 111 and the various parts or replicas.
[0026] FIG. 2 shows an exemplary process, in flow chart form, for performing a handoff between the base stations of FIG. 1 in accordance with the principles of the invention. More specifically, as part of the handoff process, a base station may discover and update at least portions of the "map" of the base stations, i.e., the pattern of neighboring base stations and related information, if any. See, for example, our concurrently filed United States Patent Application Serial No. (case Davies 1-5) which is incorporated by reference as if fully set forth herein. The portion of the map that is discovered by a particular base station is typically its neighbors to which it can possibly handoff a call it is serving. It takes at least one handoff with each such base station neighbor for the particular base station to discover its entire local map.

[0027] The process is entered in step 201 when it is determined that a wireless terminal, e.g., wireless terminal 101 (FIG. 1), requires a handoff, because the signal of the radio link of the base station with which it is communicating, e.g., base station 103-1 (FIG. 1) has become sufficiently weaker than that of another particular base station, e.g., base station 103-2, so that it appears that the other particular base station could provide a better radio link. Next conditional branch point 203 (FIG. 2) tests to determine if the connection to the first base station, e.g., base station 103-1 of FIG. 1, still exists, since it is possible that the received signal from the first base station became so weak at the wireless terminal, or the signal received at the first base station from the wireless terminal became so weak, that the connection between the first base station and the wireless terminal has become severed prior to a handoff being achieved. If the test result in step 203 is YES, indicating that the connection continues to exist between the first base station and the wireless terminal, control passes to step 205, in which the wireless terminal requests a handoff from the first base station to the second base station, e.g., base station 103-2 of FIG. 1. Alternatively, the wireless terminal may send various measurements of the signal strengths as received at the wireless terminal for the first and second base stations to the first base station, which determines that it is an appropriate time for a handoff. The first base station therefore tells the wireless terminal to connect to the second base station.

[0028] Next, conditional branch point 207 tests to determine if the first base station "knows" the second base station, i.e., the first base station has the second base station listed in its "map" information, such a listing having been the result of a previous handoff of a wireless terminal between the first and second base stations. More specifically, as part of the listing in the map information, the first base station may know a) the base station identification of the second base station, b) the network address of the second base station, e.g., its IP address, and c) security information, such as the public key of the second base station, which is used to secure communication between the first and second base stations, in accordance with an aspect of the invention. If the test result in step 207 is NO, indicating the first base station does not "know" the second base station, control passes to step 209, in which the first base station tells the wireless terminal that it does not know the second base station and that the wireless terminal must arrange for a wireless link connection with the second base station on its own. This may be achieved, for example, by using the same process that a wireless terminal uses to establish an initial wireless link with a base station when it first powers up within the cell served by that base station, as described further hereinbelow.
[0029] If the test result in step 203 is NO, indicating that the connection from the wireless terminal to the first base station had been terminated, or after step 209, control passes to step 211, in which the wireless terminal requests that the second base station establish with it a wireless link. In response to this request, in conditional branch point 212, the second base station tests to determine if it knows the first base station. If the test result in step 212 is NO, indicating that the second base station does not know the first base station, control passes to step 213, in which the second base station attempts to authenticate the wireless terminal, which typically requires consultation of information stored in a security center, e.g., security center 119 of FIG. 1. Thereafter, control passes to step 215 and the process continues as described hereinbelow. If the test result in step 212 is YES, control passes to step 214, in which security information for the wireless terminal is requested of the first base station, and received therefrom, by the second base station, in accordance with the principles of the invention. Advantageously, the second base station, which already trusts the first base station, need not engage in authenticating the wireless terminal with the security center, thus saving considerable time and facilitating the handoff process. Although not shown in FIG. 2, because it is expected to be a somewhat unusual situation, in the event there is no security information available at the first base station, e.g., all of the security information available to the first base station has already been used up, control should be passed to step 213.
[0030] If the test result in step 207 is YES, indicating that the first base station knows the second base station, control passes to conditional branch point 208 in which the first base station tests to determine if it has security information available regarding the wireless terminal that can be used by the second base station, in accordance with the principles of the invention. Such security information may be challenge-response authentication pairs and/or encryption keys associated with the wireless terminal, or the like. If the test result in step 208 is NO, indicating that the first base station does not have any security information available regarding the wireless terminal that can be used by the second base station, control passes to step 209, and the process continues as described above. If the test result in step 208 is YES, indicating that the first base station has security information available regarding the wireless terminal that can be used by the second base station, control passes to step 221, in which the first base station sends, e.g., on its own accord, the available security information to the second base station, in accordance with the principles of the invention. The sending of such security information may be construed at the second base station as a request for a handoff of the wireless terminal from the first base station to the second base station. Advantageously, the second base station, which already trusts the first base station, need not engage in authenticating the wireless terminal with the security center, thus saving considerable time and facilitating the handoff process.

[0031] Next, in step 223, the wireless terminal requests that the second base station establish with it a wireless link. Thereafter, or after the execution of step 214, control passes to conditional branch point 225, which tests to determine if the wireless terminal was using encryption to communicate its data with the first base station. If the test result in step 225 is NO, indicating a nonencrypted link was used by the wireless terminal to communicate its data with the first base station, control passes to step 227, in which the second base station uses the security information it obtained from the first base station to authenticate the wireless terminal.
[0032] Thereafter, conditional branch point 215 tests to determine if the wireless terminal was successfully authenticated. If the test result in step 215 is YES, indicating that the wireless terminal is allowed to utilize the base stations for communication, control passes to step 231, in which the wireless terminal is connected for carrying user traffic to the second base station. Thereafter, the process is exited in step 233. If the test result in step 215 is NO, indicating that the wireless terminal is not allowed to utilize the base stations for communication, control passes to step 233 and the process is exited.
[0033] If the test result in step 225 is YES, indicating that an encrypted link was used by the wireless terminal to communicate its data with the base station, control passes to step 229, in which the enciphering and deciphering of data process is initiated between the wireless terminal and the second base station. To this end, the ciphering algorithm is initialized. Once user data begins to flow, it will be appropriately encrypted or decrypted automatically. Note that use of an encrypted link with a new ciphering key passed from the first base station to the second base station, after the wireless terminal is authenticated upon activation in the cell of a base station that did not participate in an expedited handoff to receive the wireless terminal, achieves the same goal as a direct reauthentication of the wireless terminal.
[0034] Control then passes to step 231, in which the wireless terminal is connected for carrying user traffic to the second base station. Also, as part of this step, other portions of the network which were transmitting data to the wireless terminal via the first base station are instructed to now transmit their data to the wireless terminal via the second base station, e.g., using the techniques of the well known Mobile Internet Protocol. Thereafter, the process is exited in step 233.
[0035] Note that a YES result in step 207 implies that the second base station likewise knows the first base station, which would only not be true in unusual cases of error. Such error, which would be indicated by a refusal of the second base station to participate in an expedited handoff, requires processing, e.g., having control pass to step 209 to perform a nonexpedited handoff.
[0036] Note also that the first base station may not send the second base station all the security information it initially received. One reason for this may be that the first base station used some of that information in communicating with the wireless terminal, and to help foil any security attacks it is good policy to use certain types of security information, such as challenge-response pairs or encryption keys, only once. Further, note that security information obtained by the first base station may have been obtained from the security center or another base station.
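
The FIG. 2 decision flow and the one-time-use rule of paragraph [0036] can be modelled as follows. This is an added sketch, not part of the patent text: the class and function names, the HMAC-SHA256 derivation, the transfer of every unused set at once, and the rule that two base stations learn each other after a successful handoff are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class SecuritySet:
    challenge: bytes   # random number sent to the terminal
    response: bytes    # expected answer; a base station cannot derive it itself
    cipher_key: bytes  # key for the encrypted link (step 229)


def derive(secret, challenge):
    # Assumption: HMAC-SHA256 split in two; the page names no algorithm.
    mac = hmac.new(secret, challenge, hashlib.sha256).digest()
    return mac[:16], mac[16:]


class SecurityCenter:
    """Holds terminal secrets and issues sets of security information."""
    def __init__(self):
        self.terminal_secrets, self.queries = {}, 0

    def enroll(self, terminal_id, secret):
        self.terminal_secrets[terminal_id] = secret

    def issue(self, terminal_id, count=3):
        self.queries += 1
        secret, out = self.terminal_secrets[terminal_id], []
        for _ in range(count):
            challenge = secrets.token_bytes(16)
            out.append(SecuritySet(challenge, *derive(secret, challenge)))
        return out


class Terminal:
    def __init__(self, terminal_id, secret):
        self.terminal_id, self.secret = terminal_id, secret

    def answer(self, challenge):
        return derive(self.secret, challenge)[0]


class BaseStation:
    def __init__(self, name, center):
        self.name, self.center = name, center
        self.known = set()  # "map": neighbors learned from earlier handoffs
        self.sets = {}      # terminal_id -> list of unused SecuritySet

    def receive(self, terminal_id, sets):
        self.sets.setdefault(terminal_id, []).extend(sets)

    def release(self, terminal_id):
        """Hand over every unused set and keep none locally."""
        return self.sets.pop(terminal_id, [])

    def attach(self, terminal):
        """Initial service request: fetch sets from the security center."""
        tid = terminal.terminal_id
        self.receive(tid, self.center.issue(tid))
        return self.authenticate(terminal)

    def authenticate(self, terminal):
        pool = self.sets.get(terminal.terminal_id)
        if not pool:
            return False
        used = pool.pop(0)  # consumed whether or not the answer matches
        return hmac.compare_digest(terminal.answer(used.challenge), used.response)


def handoff(terminal, first, second, link_alive=True):
    """Return (path taken, authenticated?) for a handoff first -> second."""
    tid = terminal.terminal_id
    has_sets = bool(first.sets.get(tid))
    if link_alive and second.name in first.known and has_sets:
        path = "expedited-push"    # steps 207 and 208 YES, then 221
        second.receive(tid, first.release(tid))
    elif first.name in second.known and has_sets:
        path = "expedited-pull"    # steps 211 and 212 YES, then 214
        second.receive(tid, first.release(tid))
    else:
        path = "security-center"   # step 213: no trust or nothing left to send
        second.receive(tid, second.center.issue(tid))
    ok = second.authenticate(terminal)  # steps 227 and 215
    if ok:  # assumption: a completed handoff adds each station to the other's map
        first.known.add(second.name)
        second.known.add(first.name)
    return path, ok


if __name__ == "__main__":
    center = SecurityCenter()
    key = secrets.token_bytes(16)          # constructed sample secret
    center.enroll("wt-101", key)
    wt = Terminal("wt-101", key)
    bs1, bs2 = BaseStation("103-1", center), BaseStation("103-2", center)
    print(bs1.attach(wt), handoff(wt, bs1, bs2), handoff(wt, bs2, bs1), center.queries)
```

The `queries` counter makes the saving visible: once the two base stations know each other, further handoffs complete without another round trip to the security center until the transferred sets run out.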



Claims 

1. A method for facilitating secure handoff in a network having at least first and second wireless base stations and at least one wireless mobile terminal, the method comprising the steps of:

receiving a request from said at least one wireless mobile terminal for a handoff from said first base station to said second base station; and
transferring security information from said first base station to said second base station in response to said request.



2. The invention as defined in claim 1 further wherein said security information includes a set including at least a random number, an authenticator derivable by said wireless mobile terminal but not said first or second base stations, and a key.

3. The invention as defined in claim 1 further wherein at least a portion of said security information is used to validate said at least one mobile wireless terminal to said second base station.

4. The invention as defined in claim 1 further wherein said security information transferred from said first base station to said second base station in response to said request is less than all of the security information received by said first base station.

5. The invention as defined in claim 4 wherein all of the security information received by said first base station was received from a wireless mobile terminal validation system.

6. The invention as defined in claim 4 wherein all of the security information received by said first base station was received from a third base station.

7. The invention as defined in claim 1 wherein said transferring security information from said first base station to said second base station in response to said request is performed only when said first base station knows said second base station prior to said receiving step.

8. The invention as defined in claim 1 further comprising the step of initiating an encrypted link between said second base station and said wireless terminal when said first base station and said wireless terminal were communicating using an encrypted link, said second base station using said security information transferred from said first base station to said second base station in initiating said encrypted link between said second base station and said wireless terminal.



9. A method for performing handoffs in a network for providing wireless communication service having at least first and second wireless base stations and at least one wireless terminal, the method comprising the steps of:

transmitting a request, from said wireless terminal for a handoff between said first base station to said second base station;
receiving a response at said wireless terminal when said second base station knows said first base station prior to receiving said request indicating that said second base station can engage in facilitated handoffs with said first base station; and
connecting said wireless terminal for user traffic to said second base station.

10. The invention as defined in claim 9 wherein said fa- 
cilitated handoff employs information about said 
wireless terminal transferred from said first base 
station to second base station. 

11. The invention as defined in claim 10 wherein said 
information is security information. 

12. The invention as defined in claim 10 wherein said 
information is security information received from a 
security center. 

13. The invention as defined in claim 10 wherein said 
information is security information received from a 
base station other than said first or second base sta- 
tions. 

14. The invention as defined in claim 10 wherein said 
information is security information and includes at 
least one from the set consisting of: (i) a password, 
(ii) a challenge-response pair, and (iii) a challenge- 
response cipher key tuple. 

15. The invention as defined in claim 10 wherein said 
information is security information that is received 
over a network for inter base station communica- 
tion. 

16. The invention as defined in claim 10 wherein said 
connecting step further includes the step of 

initiating an encrypted link between said sec- 
ond base station and said wireless terminal when 
said first base station and said wireless terminal 
were communicating using an encrypted link prior 
to said handoff request, said second base station 
using security information transferred from said first 
base station to said second base station as part of 
said response in initiating said encrypted link be- 
tween said second base station and said wireless 
terminal. 

17. A method for performing handoffs in a network hav-
ing at least first and second wireless base stations
and at least one wireless terminal, the method com-
prising the steps of:

transmitting a request, from said wireless ter-
minal for a handoff between said first base sta-
tion to said second base station;
when said second base station does not know
said first base station prior to receiving said re-
quest, receiving at said wireless terminal an in-
dication that it must connect to said second
base station without benefit of information sup-
plied from said first base station.

18. The invention as defined in claim 17 wherein said 
information is security information. 

19. The invention as defined in claim 17 wherein said 
information is security information received from a 
security center. 

20. The invention as defined in claim 17 wherein said
information is security information received from a
base station other than said first or second base sta-
tions.

21. A method for performing a handoff in a wireless net-
work having at least first and second base stations
and at least one wireless terminal, the method com-
prising the steps of:

receiving a request, by said second base sta-
tion, from said wireless terminal for a handoff
between said first base station to said second
base station;

performing an expedited handoff when second
base station knows said first base station prior
to receiving said request; and
performing a nonexpedited handoff when sec-
ond base station does not know said first base
station prior to receiving said request.

22. The invention as defined in claim 21 wherein said 
step of performing an expedited handoff includes 
the step of transferring security information from 
said first base station to said second base station. 
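
The flow recited in claims 4, 7, 14, 21 and 22, sketched as an added example that is not part of the patent text: a base station that knows its neighbour receives one unused challenge-response-cipher key tuple from it and authenticates the terminal without querying the security center, while an unknown station must fetch fresh tuples. The HMAC-SHA256 derivation, the three-tuple batch size and all class and method names are assumptions made for illustration.

```python
import hashlib, hmac, os
def _derive(key, label, challenge, n):
    # Assumption: HMAC-SHA256 stands in for the terminal's unspecified algorithm.
    return hmac.new(key, label + challenge, hashlib.sha256).digest()[:n]

class SecurityCenter:
    def __init__(self, keys):
        self.keys, self.queries = keys, 0
    def tuples(self, tid, n=3):
        self.queries += 1
        k = self.keys[tid]
        return [(c, _derive(k, b"RES", c, 8), _derive(k, b"KC", c, 16))
                for c in (os.urandom(16) for _ in range(n))]

class Terminal:
    def __init__(self, tid, key):
        self.tid, self.key = tid, key
    def answer(self, challenge):
        return _derive(self.key, b"RES", challenge, 8)

class BaseStation:
    def __init__(self, name, center, known=()):
        self.name, self.center, self.known = name, center, set(known)
        self.store = {}  # terminal id -> unused (challenge, response, cipher key)
    def _authenticate(self, term):
        challenge, expected, cipher_key = self.store[term.tid].pop(0)  # single use
        if not hmac.compare_digest(term.answer(challenge), expected):
            raise PermissionError("terminal failed challenge-response")
        return cipher_key  # would key the encrypted link of claims 8 and 16
    def attach(self, term):
        self.store[term.tid] = self.center.tuples(term.tid)
        return self._authenticate(term)
    def release(self, tid, requester):  # claim 7: known stations only
        ok = requester in self.known and self.store.get(tid)
        return [self.store[tid].pop()] if ok else None  # claim 4: less than all
    def handoff(self, term, old):
        handed = old.release(term.tid, self.name) if old.name in self.known else None
        if handed is None:
            return "nonexpedited", self.attach(term)
        self.store[term.tid] = handed
        return "expedited", self._authenticate(term)

def demo():
    key = b"constructed-key!"  # constructed secret shared by terminal and center
    center, t = SecurityCenter({"T1": key}), Terminal("T1", key)
    bs1, bs2 = BaseStation("BS1", center, {"BS2"}), BaseStation("BS2", center, {"BS1"})
    bs3 = BaseStation("BS3", center)  # knows no neighbour
    bs1.attach(t)
    first = bs2.handoff(t, bs1)[0], center.queries
    return first, (bs3.handoff(t, bs2)[0], center.queries)
```

The query counter shows the trade the claims describe: the expedited path adds no round trip to the security center, and each transferred tuple is consumed once so a replayed response to an old challenge is not accepted.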



EP 1 124 397 A2

FIG. 1 (drawing not reproduced; surviving label: 103-1 BASE STATION)



